Date:      Tue, 2 Jul 2002 16:12:50 +0200
From:      Buki <dev@null.cz>
To:        Peter Brezny <peter@skyrunner.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Message-ID:  <20020702161250.A57959@veverka.sh.cvut.cz>
In-Reply-To: <NEBBIGLHNDFEJMMIEGOOGEHGFCAA.peter@skyrunner.net>; from peter@skyrunner.net on Tue, Jul 02, 2002 at 08:47:37AM -0400
References:  <NEBBIGLHNDFEJMMIEGOOGEHGFCAA.peter@skyrunner.net>

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
> 
> It doesn't appear so, since it's running OpenSSH_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that FreeBSD is vulnerable.
> 
> 
> I _THOUGHT_ I found something on the FreeBSD site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable, however, I can't find it
> now.
> 
> Since there doesn't appear to be a security advisory or notice from the
> FreeBSD security team on this one yet, what's the best thing to do?

The Best Thing(tm) is to stay calm :)

> 
> Manually update to OpenSSH 3.4?  Is an update to the base system in the
> works?
>

You may either manually upgrade to OpenSSH 3.4 (/usr/ports/security/openssh-portable)
or stick with base OpenSSH 2.9 localisation 20020307, as it is secure, as many
people on this list said before. But YMMV.
 
> TIA
> 
> 
> Peter Brezny
> Skyrunner.net
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Buki
-- 
PGP public key: http://dev.null.cz/buki.asc

		/"\
		\ /     ASCII Ribbon Campaign
		 X      Against HTML & Outlook Mail
		/ \     http://www.thebackrow.net

